We identified several things to fix:
- some toolforge puppet profiles use letsencrypt::cert::integrated. We would need to migrate to acme_chief::cert. Example: profile::toolforge::mailrelay
- toolsbeta lacks support for running acme_chief. Among other things, we need a dedicated VM for that.
- therefore, toolsbeta usually disables TLS, for example in the front-proxy we explicitly disable it. This would be good to improve, to make tools and toolsbeta more similar.
Also, worth noting there has been some conversations on IRC between @Krenair and @Andrew about simplifying the acme_chief setup in CloudVPS in general. Might be related to the problems described here.